Change FormTagHelper to apply to all form tags.
#6156
Conversation
| TagBuilder tagBuilder; | ||
| if (Route == null) | ||
| TagBuilder tagBuilder = null; | ||
| if (Action == null && Controller == null && Route == null && _routeValues == null && Fragment == null && Area == null) |
There was a problem hiding this comment.
Will there ever be a case where _routeValues is non-null but empty? What gets generated in that case?
There was a problem hiding this comment.
Yes, that could happen if a user did <form asp-all-route-data="new Dictionary<string, string>()">. In that case the user is being explicit and providing attributes; we'd want to follow the normal FormTagHelper rendering path.
| @@ -1,4 +1,4 @@ | |||
| <html> | |||
| <html> | |||
There was a problem hiding this comment.
No clue. :thuglife:
| // null which is interpreted as true unless element includes an action attribute. | ||
| services.AddMvc().InitializeTagHelper<FormTagHelper>((helper, _) => helper.Antiforgery = false); | ||
| // Add MVC services to the services container. | ||
| services.AddMvc(); |
There was a problem hiding this comment.
Undo this. The site is intentionally testing e2e behaviour with the Antiforgery property set to false.
| <form></form> | ||
| <form action="/HtmlGeneration_Home/Form" method="post"></form> | ||
| <form><input name="__RequestVerificationToken" type="hidden" value="{0}" /></form> | ||
| <form action="/HtmlGeneration_Home/Form" method="post"><input name="__RequestVerificationToken" type="hidden" value="{0}" /></form> |
There was a problem hiding this comment.
Amazed we only have two <form> elements without attributes we recognized. That's sad.
| metadataProvider: metadataProvider); | ||
| var expectedPostContent = HtmlContentUtilities.HtmlContentToString( | ||
| htmlGenerator.GenerateAntiforgery(viewContext), | ||
| HtmlEncoder.Default); |
| // Assert | ||
| Assert.Empty(output.Attributes); | ||
| Assert.Empty(output.PreContent.GetContent()); | ||
| Assert.True(output.Content.GetContent().Length == 0); |
There was a problem hiding this comment.
Assert.Empty(output.Content.GetContent())
| Assert.Empty(output.Attributes); | ||
| Assert.Empty(output.PreContent.GetContent()); | ||
| Assert.True(output.Content.GetContent().Length == 0); | ||
| Assert.Equal(expectedPostContent, output.PostContent.GetContent()); |
There was a problem hiding this comment.
Why no confirmation that PreElement and PostElement remain empty?
There was a problem hiding this comment.
Just staying consistent with the other tests. I'll add though.
NTaylorMullen
force-pushed
the
nimullen/6006
branch
from
6c3ef52
to
b4b3151
Compare
|
🆙 📅 |
| { | ||
| if (string.Equals(attribute.Name.LocalName, "action", StringComparison.OrdinalIgnoreCase)) |
There was a problem hiding this comment.
Agree confirming the action attribute exists was useless. Nice your new tests found that 👍
| #endif | ||
| } | ||
|
|
||
|
|
| @@ -0,0 +1,5 @@ | |||
| <form><input name="__RequestVerificationToken" type="hidden" value="{0}" /></form> | |||
There was a problem hiding this comment.
There's a bug here. The default method is get and so no antiforgery token should be added by default. Line 248 in the tag helper needs to handle null or empty too.
| <form method="get"></form> | ||
| <form method="post"><input name="__RequestVerificationToken" type="hidden" value="{0}" /></form> | ||
| <form action="/Foo/Bar/Baz.html" method="get"></form> | ||
| <form action="/Foo/Bar/Baz.html" method="post"></form> |
There was a problem hiding this comment.
Tag helper should have added an antiforgery token, changing the behaviour when user includes action attribute. Need to make a change around line 168 in the tag helper to match the updated line 248.
There was a problem hiding this comment.
Talked with Damian about this. Since the user specified action, they're opting out of our TagHelper ways. Therefore, don't generate a token.
| [HtmlTargetElement("form", Attributes = ControllerAttributeName)] | ||
| [HtmlTargetElement("form", Attributes = RouteAttributeName)] | ||
| [HtmlTargetElement("form", Attributes = RouteValuesDictionaryName)] | ||
| [HtmlTargetElement("form", Attributes = RouteValuesPrefix + "*")] |
There was a problem hiding this comment.
Let's be explicit rather than use the naming convention to target <form> elements: Stick with [HtmlTargetElement("form")].
NTaylorMullen
force-pushed
the
nimullen/6006
branch
from
b4b3151
to
c10ce6c
Compare
|
🆙 📅 |
| <form method="get"></form> | ||
| <form method="post"><input name="__RequestVerificationToken" type="hidden" value="{0}" /></form> | ||
| <form action="/Foo/Bar/Baz.html" method="get"></form> | ||
| <form action="/Foo/Bar/Baz.html" method="post"></form> |
There was a problem hiding this comment.
Tag helper should have added an antiforgery token, changing the behaviour when user includes
actionattribute. Need to make a change around line 168 in the tag helper to match the updated line 248.
Talked with Damian about this. Since the user specified
action, they're opting out of our TagHelper ways. Therefore, don't generate a token.
Let's chat quickly tomorrow. I agree the user has opted out of the tag helper generating an action in this case. But, I'm not sure why <form action="" method="post"> is any more an opt out of antiforgery than <form method="post"> is -- both submit the same data to the same URL.
NTaylorMullen
force-pushed
the
nimullen/6006
branch
from
c10ce6c
to
8ea8521
Compare
|
🆙 📅 |
| { | ||
| // User is using the FormTagHelper like a normal <form> tag that has an empty action attribute. | ||
| // i.e. <form action="" method="post"> | ||
| antiforgeryDefault = true; |
There was a problem hiding this comment.
- Don't set
antiforgeryDefaultto its default again. - Mention the
action="@Url.Action(action: "Index", controller: "Home")possibility in the comments. - nit: "e.g." not "i.e." -- don't know anything more than
actionisn't"/A/Non-empty/String".
There was a problem hiding this comment.
What's special about the @Url.Action case? It's also an HtmlString
There was a problem hiding this comment.
Shoot. It actually returns a plain string. I thought (hoped) it avoided concatenation and returned a more-segmented IHtmlContent.
Just mention the non-string / non-HtmlString possibility. It's not necessarily an empty string or HtmlString.Empty.
| { | ||
| // User is using the FormTagHelper like a normal <form> tag. Antiforgery default should be false to | ||
| // not force the antiforgery token on the user. | ||
| antiforgeryDefault = false; |
There was a problem hiding this comment.
If we leave this alone (pending Monday's discussion), update the comments to better distinguish things from the if case e.g. User is likely using the <form> element to submit to another site. Do not send an antiforgery token to unknown sites.
There was a problem hiding this comment.
Getting this in. If the decision is changed we can account for that afterwards.
| @@ -4,6 +4,8 @@ | |||
| using System; | |||
| using System.Collections.Generic; | |||
| using System.ComponentModel; | |||
| using System.IO; | |||
- Added functional test to validate that non-attributed form tags have an antiforgery input generated. Re-generated baseline to reflect changes. - Added a unit test to validate that parameterless `FormTagHelper`s behave as expected. #6006
NTaylorMullen
force-pushed
the
nimullen/6006
branch
from
8ea8521
to
3d895a9
Compare
FormTagHelpers behave as expected.#6006